ANALYSIS OF PERSONNEL RECORDS IMAGING SYSTEM (PRIS) SYSTEM/BACKUP FAILURES AND PERFORMANCE REVIEW AND DEVELOPMENT (PR&D) DATA EXPOSURE

Audit 2007-039T-01
July 25, 2007

TVA RESTRICTED INFORMATION

Synopsis

We conducted a review to determine (1) the root causes for the PRIS backup and server failures and (2) whether the data recovered was adequately protected. In summary, we determined:
  – The PRIS backup failure was due to (1) human error and (2) the lack of proper controls that would have detected that PRIS was no longer on the master backup schedule, which resulted in no backups being performed for PRIS.
  – The PRIS server failure was due to hardware failures whose impact was magnified by human error.
  – The PR&D data was not adequately secured when regenerated for recovery efforts.

Background

  • PRIS is the official repository for TVA personnel documents such as employment applications, offer letters, disciplinary letters, performance evaluations, termination papers, etc.
  • In March 2007, PRIS had two disk drive failures.
  • As Information Services (IS) began work to recover the PRIS system, they discovered a system backup had not been performed.
  • IS began pursuit of other options to restore the data.

Timeline

PRIS Backup Failure (June 2006)
  – Chattanooga Master Backup Server replacement – June 2006
PRIS Server Failure (March 2007)
  – PRIS Server Disk Failure 1 – March 12, 2007
PR&D Data Exposure (March 2007)
  – PR&Ds regenerated for input into
PRIS
  – Regenerated PR&Ds placed in unsecured share – March 28, 2007
  – [Redacted] employee copies PRD information to laptop. Extent of compromise unknown.
  – [Redacted]
PRIS Server Failure (March 2007), continued
  – Contractor replacing disk observes disk not rebuilding – informs System Administrator
  – No follow-up action to make sure disk drives are correctly rebuilding
  – PRIS Server Disk Failure 2 – March 15, 2007. Server was functional for approximately 2 hours before catastrophic failure
  – Lack of backup data discovered when disk drive hardware destroyed
  – IS and HR formulate plan to rebuild PRIS data from other systems
PRIS Backup Failure (June 2006), continued
  – PRIS Server backup schedule was not moved to new master backup server.

Objectives

  • Perform a root cause analysis of the PRIS system and backup failures
  • Determine if data recovered was adequately protected

Scope/Methodology

  • Interviewed IS, Human Resources, and Power System Operations (PSO) personnel
  • Reviewed IS Policies and Procedures
  • Reviewed documentation
      – HP Service Desk (HPSD) information
      – E-mails related to the PRIS and PR&D events
      – PRD folder on temporary share server
  • Fieldwork was conducted in April and May 2007
  • This audit was performed in accordance with generally accepted government auditing standards.

Findings

  • Root cause of the PRIS backup failure was human error and the lack of proper controls which would have detected that:
      – The master backup schedule was not properly converted in June 2006; and
      – A PRIS backup did not exist.
  • Root cause of the PRIS server failure was hardware failures whose impact was magnified by human error.
  • The PR&D data was not adequately secured when regenerated for recovery efforts.

PRIS Backup Failure

  • Cause 1: Human error and lack of controls to ensure the proper conversion of the backup schedules
      – Inadequate planning for conversion
          • Coordination with system administrators to verify backups was not adequate – System administrators were notified of the conversions; however, there was no explicit requirement for the administrators to verify a backup occurred after the move.
          • Lack of segregation of duties – No independent verification to ensure all backup schedules were converted to the new system; instead, the same person who performed the conversion also verified the conversion.
          • Test plan and result documentation not appropriately maintained.
PRIS Backup Failure (cont’d)

  • Cause 2: Lack of controls to detect that a PRIS backup schedule did not exist after June 2006
      – No periodic verification required to ensure the master backup schedule is consistent with the customer requirements as defined in the service level agreements
      – No automated tool to detect that a server was not being backed up
          • Funds were budgeted in fiscal year (FY) 2005 to purchase an automated tool which would have identified servers not being backed up. These funds were used instead for infrastructure improvements to improve throughput and efficiency of backup operations.

Other Backup Failures

  • During the review, the following came to our attention:
      – September 2006 – [Redacted] requested a data restore of the [Redacted] system and the data was not available
          • Data regarding the [Redacted] was to be backed up to the Regional Operations Center (30 day retention) and Chattanooga (permanent retention).
          • The Chattanooga backup began failing and was removed from the schedule by backup personnel because of the assumption that the Chattanooga backup was a duplicate.
          • Data lost for the period March through August 2006.
      – November 2006 – Manual check found a missing backup client
          • Backup personnel were reconciling the client list and found one client was missing
              – No documentation to support being dropped from backup
              – Lack of a backup caught by IS and no data loss occurred
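The manual client-list reconciliation that caught the November 2006 gap, and the automated detection of servers missing from the master backup schedule discussed above, amount to one check: compare the server inventory and each server's agreed recovery level against the master backup schedule and the backup job history. The following is an added example written for this page, not a TVA tool; the inventory, schedule, job records and field names are constructed, and the data-loss windows for DR levels other than B (24 hours, from the work agreement cited in this report) are assumed.

```python
"""Reconcile a server inventory against the master backup schedule and job history.
All data below is constructed for illustration; field names are assumptions."""
from datetime import datetime, timedelta

# Allowed data loss per disaster recovery level. Level B (24 h) is from the
# report; levels A and C are assumed values for the example.
MAX_DATA_LOSS_HOURS = {"A": 4, "B": 24, "C": 72}

# Constructed inventory with the DR level agreed in each work agreement.
INVENTORY = [
    {"server": "pris01", "dr_level": "B"},
    {"server": "hrweb01", "dr_level": "C"},
    {"server": "roc-hist01", "dr_level": "B"},
]
# Constructed master backup schedule after a hypothetical master-server move:
# pris01 was dropped, and oldbox99 is scheduled but no longer in inventory.
SCHEDULE = {"hrweb01", "roc-hist01", "oldbox99"}
# Constructed job history: (server, finished_at, status).
JOBS = [
    ("hrweb01", datetime(2007, 3, 14, 23, 0), "success"),
    ("roc-hist01", datetime(2007, 3, 10, 23, 0), "success"),
    ("roc-hist01", datetime(2007, 3, 14, 23, 0), "failed"),
]

def reconcile(inventory, schedule, jobs, now):
    """Return (server, finding) pairs that a backup administrator must review."""
    findings = []
    last_ok = {}  # most recent *successful* job per server; failures do not count
    for server, finished, status in jobs:
        if status == "success" and finished > last_ok.get(server, datetime.min):
            last_ok[server] = finished
    known = set()
    for item in inventory:
        name, level = item["server"], item["dr_level"]
        known.add(name)
        if name not in schedule:
            findings.append((name, "not on master backup schedule"))
            continue
        window = timedelta(hours=MAX_DATA_LOSS_HOURS[level])
        last = last_ok.get(name)
        if last is None:
            findings.append((name, "no successful backup on record"))
        elif now - last > window:
            findings.append((name, f"last good backup {now - last} ago exceeds DR level {level} window"))
    # Scheduled-but-unknown clients need documented removal, not silent deletion.
    for name in sorted(schedule - known):
        findings.append((name, "scheduled but not in inventory; confirm removal is documented"))
    return findings

def run_sample():
    """Run the reconciliation over the constructed data as of 2007-03-15 08:00."""
    return reconcile(INVENTORY, SCHEDULE, JOBS, datetime(2007, 3, 15, 8, 0))
```

Run daily against the real schedule export and job catalog, a non-empty result is the signal the report says was missing in June 2006.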
Backup Failures

  • IS Actions Taken:
      – Implemented a process to verify that servers added to or dropped from the master backup schedule are accurate and have proper supporting documentation
      – Developed a monitoring program for Windows servers to identify those where no backup was performed
  • TVA management requested the Office of the Inspector General (OIG) perform a verification of backups. This review is currently underway (Audit 2007-039T-02).

PRIS Server Failure

  • PRIS server had two hard drive failures in March 2007
      – Server was six to seven years old; normal life span for a server is five years
      – Impact from drive failures magnified by human errors
          • System Administrator was not diligent in monitoring the drive replacement process
              – When the first drive started failing, the system administrator did not verify the existence of a backup or request that a backup be performed
              – The server hard drive configuration was considered stable; therefore, the system administrator assumed the drives would rebuild automatically
              – Insufficient follow-up after drive replacement to verify (1) the rebuild process was successful and (2) the manual reconfiguration for this hardware type was performed to activate the hot spare
      – HPSD, an asset management tool used by IS, did not have information regarding the criticality and recovery requirements of the systems
          • HPSD did not have a Disaster Recovery level defined for PRIS.
          • The Work Agreement for FY2007 with the business unit specified a DR level of B, which requires a return to service of three to seven days with no more than 24 hours of data loss. An internal IS e-mail stated the disaster recovery work for PRIS-[Redacted] could be deleted. However, we could not locate a revised work agreement or any indication that the business unit had approved such a change.

PR&D Data Exposure

  • To help in the PRIS recovery, IS regenerated PR&D forms, which did not contain social security numbers, for approximately 9,000 employees for the period 2001 – 2006.
  • IS personnel failed to exercise adequate security in the handling of sensitive data.
      – Sensitive information was placed on an unsecured temporary share where it was available for about two hours
      – Sensitive information was accessed by:
          • [Redacted] employee who copied the forms.
          • IS employee who viewed the folder on the server and reported the incident to the system administrators, who initiated action to restrict access to the information.
  • We could not determine conclusively the extent of exposure because (1) the temporary share was available to all employees and contractors with a TVA ID, and (2) there were no logs maintained for review.

PR&D Data Exposure (cont’d)

  • IS Actions Taken: A communiqué was issued to the IS supervising managers instituting a lock down on use of temporary shares for sensitive information and requiring 100 percent training of IS
personnel in Communication Practice 8.
  • Subsequently, OIG performed a review of temporary share drives in TVA to determine the extent to which personally identifiable information (PII) and/or other sensitive information is being stored on these drives.
      – We identified numerous instances of PII and sensitive information stored insecurely on temporary share drives used by a broad spectrum of TVA employees. (See Audit 2007-10997 for additional information and recommendations.)

Recommendations

  1. Ensure future upgrade projects include proper planning and controls, such as independent third-party verification of data/schedule moves, and that proper supporting documentation is maintained.
  2. Implement a process to periodically verify that the master backup schedule complies with customer requirements.
  3. Review and consider purchasing automated solutions that would (1) detect servers not currently included in the master backup schedule and (2) monitor information flowing on the network and stored on servers, which would help identify PII.
  4. Implement a process to ensure (1) HPSD information regarding the service level and disaster recovery level matches the requirements in the service level agreements; and (2) changes to service level agreements, including non-funded work, are approved by the business unit responsible for the application(s).

Recommendations (cont’d)
  5.
     Implement/update procedures for hardware replacement to include:
      – Checking HPSD for criticality of system data
      – Checking for backups when hardware failure warnings occur
      – Verifying disk drive configurations are restored to the appropriate settings after hardware replacement/repair is completed
      – Communicating/training system administrators on changes to the procedures
  6. Implement/update TVA-wide training to emphasize employee and business unit responsibilities for properly securing data which contains personally identifiable and business sensitive information. Consider:
      – Targeting business units which routinely handle social security numbers and other PII for more frequent training
      – Including reminders to periodically review electronic and hard copy storage to ensure information is properly secured
  7. See Audit 2007-10997, Review of Temporary Shares for Sensitive Information, for additional recommendations regarding properly securing sensitive information.

Recommendations (cont’d)

TVA Management’s Comments (See Appendix for entire response)
The Executive Vice President, Administration, and Chief Administrative Officer agreed with our facts, conclusions, and recommendations with one exception. Management provided revised wording regarding the PRIS-[Redacted] work agreement discussed on page 12 of the report.

Auditor’s Response
We concur with management’s proposed actions to implement processes to reduce the risk of future server and backup failures.
We have revised the wording on page 12 based on management’s response to the draft report.

APPENDIX
Page 1 of 2

APPENDIX
Page 2 of 2